Cryptography by parameterizing on elliptic curve

ABSTRACT

A device is controlled by a controller on the basis of a password. A determination is made at the device or at the controller, on the basis of a random value r 1,  of a point P(X,Y) on an elliptic curve in a finite body F q , q being an integer, according to: E a,b (x, y):x 3 +ax+b=y 2 . First and second parameters k and k′ are obtained such that P(X,Y)=F(K,k′), where F is a surjective function of F q ×F q , in F q . The first and second parameters are obtained in an encrypted format by encryption in accordance with the password. The first and second encrypted parameters are then transmitted to the controller. During the control, the function F is used, such that, whatever the values of z and z′ which are input elements of F q , F(z,z′) is a point on the elliptic curve and the input elements do not satisfy the equation.

PRIORITY CLAIM

This application is a 371 filing from PCT/FR2010/051339 filed Jun. 28,2010 which claims the benefit of French Application for Patent No.0954473 filed Jun. 30, 2009, the disclosures of which are herebyincorporated by reference.

TECHNICAL FIELD

The present invention relates to message cryptography based on the useof points on an elliptic curve, and more particularly said use in thefield of algorithms of the EKE (Encrypted Key Exchange) type.

BACKGROUND

Methods of authentication by password are based on the use of analgorithm of the EKE type. This type of algorithm is illustrated in FIG.1.

A device D 10 wishes to be authenticated on the basis of a password π ata controller C 11. Each of these entities knows the password π.Moreover, let us consider an elliptic curve E_(a,b), and a generator Gof the set of points on the elliptic curve, as public parameters. Theelliptic curve satisfies the following equation:

E _(a,b)(x,y):x ³ +ax+b=y ²   (1)

At a step 12, the device D 10 generates a random number r₁. Then, ittransmits this random number in the form of a point on the ellipticcurve to the controller 11. For this purpose, it determines a value V tobe transmitted satisfying:

V=r ₁ .G

This result is then encrypted with the password in the form E_(π)(r₁.G), E_(π) being an encryption function by password.

Then, the device sends a message 13 to the controller stating the valueE_(π)(r₁.G).

On receiving the message 13, in its turn the controller 11 generates arandom value r₂ at a step 14. Then it transmits this value in the formof a point on the elliptic curve, and transmits a message 15 to thedevice 10 stating the result:

E _(π)(r ₂ .G)

Following this exchange of random values r₁ and r₂ in encrypted form,the device 10 recovers at a step 16 the random value r₂ generated by thecontroller by deciphering, using a decryption function with passwordD_(π), the information contained in the message 15:

r ₂ .G=D _(π) E _(π)(r ₂ .G)

and the controller 11 recovers at a step 17 the random value r₁generated by the device 10 by deciphering the information contained inthe message 13:

r ₁ .G=D _(π) E _(π)(r ₁ .G)

Thus, following a protected exchange, each entity is able to calculate acommon key K:

K=r ₁ .r ₂ .G

This type of algorithm aims to exchange values in a form encrypted witha password or a key derived from a password. However, it should be notedthat according to a classical representation of an elliptic curvesatisfying equation (1) on a finite field F_(q), the exchanges describedwith reference to FIG. 1 can allow a potential attacker to deduceinformation relating to the password π. In fact, exchanging randomvalues in an encrypted form as described above, via the two messages 13and 15, supplies a redundancy of information which may allow the secretof the password to be broken. More precisely, at each listening-in, anattacker could test a password to decipher the information exchanged inmessages 13 and 15. He is then presented with two cases. In the firstcase, the decrypted information corresponds to a point on the curve andaccordingly the password is correct. In the second case, the decryptedinformation does not correspond to a point on the elliptic curve and thepassword is not discovered. By multiplying the listenings-in and theseparate passwords, it is thus possible to find the password belongingto a finite set of elements.

The present invention aims to improve the situation.

SUMMARY

A first aspect of the present invention proposes a method of controllinga device by a controller on the basis of a password; said methodcomprising the following steps, at the device or at the controller:

/1/ on the basis of a random value r₁, determine a point P(X,Y) on anelliptic curve, in a finite field F_(q), q being an integer, ofequation:

E _(a,b)(x,y):x ³ +ax+b=y ²   (1)

/2/ obtain first and second parameters k and k′, such that

P=F(k,k′)

where F is a surjective function of F_(q)×F_(q′) in F_(q)

/3/ obtain the first and second parameters in encrypted form byencryption as a function of the password; and

/4/ transmit said first and second encrypted parameters to thecontroller;

in which the function F is such that, regardless of z and z′ inputelements of F_(q), F(z,z′) is a point on the elliptic curve, and theinput elements do not satisfy equation (1).

Owing to these arrangements, it is possible to avoid the attacks such asdescribed above with respect to the prior art. In fact, under theseconditions it is no longer possible to test a password by determiningwhether the result obtained corresponds to a point (X,Y) on the ellipticcurve E_(a,b) since the function F always supplies a point on theelliptic curve as output regardless of the parameters that were suppliedas input, as the input parameters do not satisfy the classical equationof an elliptic curve. Ingeniously, it therefore envisages representing apoint on the elliptic curve in a different way, using this surjectivefunction F, so as not to supply any information to a potential attackerthat can enable him to deduce the password used.

In order to determine said function F allowing a point P(X,Y) on anelliptic curve to be represented according to some otherparameterization than that of equation (1), it is possible to use as abasis an invertible function f_(a,b), the inverse function f_(a,b) ⁻¹ ofwhich makes it possible to recover a point on the curve, according totwo parameters that do not satisfy equation (1), from an inputparameter.

The function F can be written:

F(k, k′)=f′(k′)+f _(a,b)(k)

where f_(a,b) is an invertible function, based on the coefficients a andb of the elliptic curve, taking an input parameter and supplying a pointon the elliptic curve and

where f′ is a function generating a point on the elliptic curve as afunction of a parameter; and

where, at step /2/, the parameters k and k′ are obtained by thefollowing steps:

-   -   randomly generate a value of the parameter k′;    -   calculate a value of f′(k′);    -   determine a value of the parameter k from the following        equation:

k=f _(a,b) ⁻¹(P(X,Y)−f′(k′))

Advantageously, by combining a function f′ that makes it possible togenerate a point on the elliptic curve on the basis of a parameter k′ ofrandom value and an invertible function f_(a,b) based on thecoefficients of the elliptic curve a and b, it is then possible toobtain a function F that allows parameterization of a point on the curvewhile avoiding the attacks described.

The function f′ can in particular be written:

f′(k′)=k′.G

where G is the generator of the set of points on the elliptic curve; and

a value of the parameter k is determined from the following equation:

k=f _(a,b) ⁻¹(P(X,Y)−k′.G)

Under these conditions, the function F can be written:

F(k,k′)=f _(a,b)(k)+k′.G

Alternatively, the function f′ can be written:

f′(k′)=f _(a,b)(k′)

and

a value of the parameter k is determined from the following equation:

k=f _(a,b) ⁻¹(P(X,Y)−f _(a,b)(k′))

Under these conditions, the function F can be written as follows:

F(k,k′)=f _(a,b)(k)+f _(a,b)(k′)

Thus, generally, for parameterizing a point P(X,Y) on the curveaccording to the present invention, a first step envisages obtaining apoint on the curve for a value of the parameter k′. Then a point on thecurve is determined which corresponds to the subtraction of the pointP(X, Y) to be represented and of the point obtained at the first step.Then another point on the elliptic curve is obtained. Next, the inversefunction of f_(a,b) is applied to this point and a value of parameter kis obtained. The point P is then represented in the form of the pair ofparameters k and k′ that does not satisfy equation (1).

In one embodiment of the present invention, the function F comprises atleast one invertible function f_(a,b), such that

∀P=(X,Y)εE _(a,b) , |f _(a,b) ⁻¹(X,Y)|<L

where L is an integer having a relatively small value in relation to thenumber of points on the elliptic curve (1).

The fact that function F comprises a function f_(a,b) means thatapplication of the function F to first and second parameters correspondsto applying this function f_(a,b) to at least one of the first andsecond parameters. We can thus envisage, on the one hand, generating apoint on the curve on the basis of the first parameter and, on the otherhand, applying the inverse function of f_(a,b) to obtain the secondparameter. By following this procedure, a point on the elliptic curvecan be represented according to these two parameters.

Thus, application of the function F to first and second parameters cancorrespond to application, to at least one of the two parameters, of afunction f_(a,b) such that

∀P(X,Y)εE _(a,b) ,|f _(a,b) ⁻¹(X,Y)|<L   (4)

where L is an integer having a relatively small value in relation to thenumber of points on the elliptic curve (1).

In other words, the function f_(a,b) considered here has a pre-imagecorresponding to a set of points P on the elliptic curve E_(a,b) boundedby a quite small maximum value relative to the number of points on theelliptic curve. In fact, if this is not so, it is then possible toinvert the function f_(a,b) simply by taking a number at random. In thiscontext, it can for example be considered that L is smaller than 1/2⁸⁰times the number of points on the curve.

By using an invertible function satisfying conditions (4), it is easy toobtain a function F for representing a point on the curve via parametersk and k′ which do not permit an attack on the password used forencrypting them, such as that described above.

In one embodiment of the present invention, the function f_(a,b) makes apair of parameters (x, y) correspond to a parameter u such that x is theonly solution of the following equation:

x ³ +ax+b−(ux+Q(u,a,b))²=0   (5)

and y satisfies:

y=u.x+Q(u,a,b)

This equation (5) is obtained by replacing y in equation (1) by the termux+Q(u,a,b). The term Q(u,a,b) denotes a rational fraction in thevariables u, a and b.

The fact that this equation (5) only allows a single root is equivalentto the fact that the discriminant denoted Δ(u,a,b) of the following termis not a square whatever the parameter u:

x ³ +ax+b−(ux+Q(u,a,b))²

For q=2 mod 3, we can write:

Δ(u,a,b)=−3R(u,a,b)²

where R is a rational fraction.

In fact, for p=2mod3, −3 is not a square and therefore −3R(u,a,b)² isnever a squared term.

Since equation (5) only allows a single root then the following term isa polynomial of degree 1:

gcd(x ³ +ax+b−(ux+Q(u,a,b))² ,X ^(P) −X)

where gcd is a large common denominator.

The root of this polynomial, denoted X_(P), is an abscissa of a point onthe elliptic curve. Finally, the point with abscissa X_(P) and ordinateu.X_(P)+Q(u,a,b) is a point on the curve.

In one example, a rational fraction Q(u,a,b) that satisfies thefollowing equation can be taken into consideration:

${Q( {u,a,b} )} = \frac{{236196\mspace{11mu} u^{2}{ab}} + {405\; u^{8}a} - {20412\; u^{6}b} - {45927\; u^{4}a^{2}} - u^{12} + {19683\; a^{3}}}{54\; {u( {{{- 162}\mspace{11mu} a\; u^{4}} + {2187\; a^{2}} - u^{8} + {2916\mspace{11mu} {bu}^{2}}} )}}$

In one embodiment, the function f_(a,b) can advantageously be defined asfollows in F_(q), q being equal to 2 mod 3. It makes a pair ofparameters (x, y) correspond to a parameter u, such that:

x = (v² − b − u⁶/27)^(1/3) + u²/3 and y = u ⋅ x + v with$v = {\frac{{3\; a} - u^{4}}{6\; u} = {Q( {u,a,b} )}}$and  with f_(a, b)(0) = 0.

Such a function is invertible. Thus, for a P(X,Y) on the elliptic curve,a pre-image of the point by the function f_(a,b) is a solution of thefollowing equation:

u ⁴−6u ² x+6uy−3a=0

Now, a polynomial equation of this kind can easily be inverted.

Moreover, the set of pre-image points P of this function f_(a,b) isbounded by L that is small relative to the number of points on theelliptic curve.

Thus, this function satisfies the characteristics defined previously.

We can also envisage basing the function F on the use of a functionf_(a,b) defined on the basis of polynomials satisfying Skalba'sequation.

It should be noted that polynomials satisfying Skalba's equality aredefined in the document ‘Rational points on certain hyperelliptic curvesover finite fields’ by Maciej Ulas, published 11 Jun. 2007. Thesefunctions are invertible. In fact, given polynomials X₁(k), X₂(k), X₃(k)and U(k) satisfying Skalba's equality, i.e. satisfying:

f(X ₁(k)).f(X ₂(k)).f(X ₃(k))=U(k)²

where f is the polynomial that defines the elliptic curve E_(a,b).

More precisely, f satisfies the equation:

f(x)=y ²

where x and y are elements of F_(q) ², and the pair (x,y) represents apoint on E_(a,b).

f_(a,b)(k) is defined as being the point P=(X_(i)(k),f(X_(i)(k))^(1/2)), where i is such that f(X_(i)(k)) is a square inF_(q). Thus, to invert this function f_(a,b), given a point P=(X,Y), wecalculate the solutions k_(s) of the three polynomial equations:

X ₁(k _(s))−X=0

X ₂(k _(s))−X=0

X ₃(k _(s))−X=0

Each of these solutions is a pre-image of P by f_(a,b).

In the case where F(k,k′) is written:

F(k,k′)=f_(a,b)(k)+f _(a,b)(k′)

We can advantageously obtain a uniform distribution of the points,output values of f_(a,b), for a uniform distribution of input values. Inthis case, if the input values are randomly determined, then the outputvalues also have a random distribution.

By following this procedure, it is possible to avoid attacks based on astatistical analysis of values used for the parameter, which couldsupply information. In fact, in the case where the inverse of thisfunction f_(a,b) on a point P on the elliptic curve corresponds to aplurality of values of the input parameter of this inverse function, itis possible that some of these values recur more often than othersaccording to a statistical law. Thus, if the attacker knows thisstatistical law, by testing a password on the information exchanged, hecan decide whether or not the values of the parameter exchanged followthis law. He can thus deduce from this whether the password tested iscorrect or not.

In order to avoid this type of attack, it can be advantageous to employan algorithm such as that described below.

D_(i) denotes the set of points on the elliptic curve E_(a,b) which hasexactly a number i of pre-images by the function f_(a,b). In the exampledescribed below, five sets are defined: D₁, D₂, D₃, D₄ and D₅.

GEN denotes a function that generates, randomly and uniformlydistributed, points on the elliptic curve. Let

${\delta_{i} = \frac{i}{L}},$

a probability associated with the set D_(i).

For t=0 at T−1, where T is an integer

-   -   generate a point P_(t) with the function GEN;    -   if P_(t) is an element of D0, then go to the start;    -   If Pt is an element of Di        -   Select at random a value b between 0 and 1 satisfying:

Pr(b=0)=δ_(i)

-   -   -   If b is equal to 1, then go to step (1);        -   Otherwise

    -   select at random an element u in the set f_(a,b) ⁻¹(P_(t))

    -   return u

It should be noted that, to obtain a 1-½^(k) probability of success, itis sufficient to have T equal to a polynomial evaluated in k of degree1, in other words T is a multiple of k.

Moreover, the following steps can be employed:

-   -   receive a message stating first and second parameters in a form        encrypted with the password;    -   decipher the first and second parameters and obtain parameters p        and p′; and    -   calculate a common secret value K with the controller according        to the following equation:

K=r ₁ .F(p,p′)

where r₁ is the random value used at step /1/.

Thus, the device and the controller can finally have a common key attheir disposal without exchanging information that puts the secrecy ofthe password in jeopardy.

A second aspect of the present invention proposes an electronic entitycomprising means suitable for implementing a method of control accordingto the first aspect of the present invention.

A third aspect of the present invention proposes a system of control bypassword comprising a first electronic entity according to the secondaspect as controller and a second electronic entity according to thesecond aspect as device to be controlled.

BRIEF DESCRIPTION OF THE DRAWINGS

Other aspects, aims and advantages of the invention will become clear onreading the description of one of its embodiments.

The invention will also be better understood with the aid of thefollowing figures:

FIG. 1, already described, illustrates the main steps of a method ofcontrol according to the prior art;

FIG. 2 shows the main steps of a method of control according to oneembodiment of the present invention;

FIG. 3 illustrates an implementation of a method of control between adevice and a controller according to one embodiment of the presentinvention; and

FIG. 4 illustrates a device and a controller according to one embodimentof the present invention.

DETAILED DESCRIPTION OF THE DRAWINGS

FIG. 2 illustrates the main steps of a method of control according toone embodiment of the present invention.

At a step 21, a point P=(X,Y) on an elliptic curve in a finite fieldF_(q), with q an integer, is determined on the basis of a random valuer₁. Then, at a step 22, first and second parameters k and k′ areobtained, such that

P=F(k,k′)

where F is a surjective function such as of F_(q)×F_(q′) in F_(q).

The parameters thus obtained make it possible to represent the point Pingeniously so as to protect the secrecy of the password duringexchanges between the device and the controller.

At a step 23, the first and second parameters are obtained in encryptedform by encryption as a function of the password πE_(π)(k,k′).

In this ingenious form, the random value r₁ can advantageously betransmitted, at a step 24, from the device to be controlled to thecontroller, or from the controller to the device to be controlled so asto generate a secret common key.

The function F is such that, whatever z and z′ element of F_(q), F(z,z′)is a point on the elliptical curve and the elements z and z′ do notsatisfy equation (1).

FIG. 3 illustrates an exchange of messages between a device to becontrolled 10 and a controller 11 according to one embodiment of thepresent invention.

The device to be controlled D 10 generates firstly at a step 31 a randomvalue r₁. When the order of the set of points on the elliptical curve isan integer N, then r₁ can be taken at random by the set of values: [0,N−1].

Then, starting from this random value, a point P=(X,Y) on the ellipticcurve E_(a,b) is generated using a generator G. Said generator is suchthat, for any point P on the elliptic curve, there is a value h suchthat:

P=h.G

Thus, a point P₁ is obtained such that:

P ₁ =r ₁ .G

Then, values of the parameters k₁ and k₁′ are determined, at a step 33,for representing the point P₁ according to parameters different from itscoordinates X and Y, which, for their part, satisfy equation (2).

In order to determine these parameters k₁ and k₁′, firstly a randomvalue can be generated for the parameter k₁′. Then, a point on theelliptic curve P_(k1) corresponds to this random value k₁′, either byapplying a function f_(a,b) that makes coordinates x, y of a point onthe curve correspond to a parameter, or by using a generator G of thepoints on the elliptic curve.

Then, a value of the parameter k₁ is obtained, by applying the inverseapplication of f_(a,b) to the point corresponding to a subtraction inthe group of points on the elliptic curve: P(X,Y)−P_(k1).

The parameters k₁ and k₁′ represent the point P(X,Y). Next, the firstand second parameters obtained previously are encrypted by an encryptionfunction E_(π) based on the password π, to transmit them to thecontroller via a message 34.

In a symmetrical fashion, the controller generates a random value r₂ ata step 35. Then it transforms this value into a point P₂ on the ellipticcurve, at a step 36. Then, as described previously at step 33, thecontroller obtains respective values of the first and second parametersk₂ and k₂′, at a step 37. Then, it encrypts these values beforetransmitting them to the device to be controlled 10, via a message 38.

The device to be controlled 10 therefore has at its disposal the randomvalue r₁, the values k₂ and k₂′ and the function F.

Thus, at a step 39, it recovers the point P₂:

P ₂ =F(k ₂ ,k′ ₂)

It therefore obtains a secret key K shared with the controller butwithout having supplied any information about the password, whichsatisfies:

K=r ₁ .r ₂ .G

The controller recovers the secret key K in a symmetric fashion at astep 301.

The function F as defined above can be written in a different form. Thefollowing sections describe different representations of this point Pwhich advantageously makes it possible not to supply redundancy ofinformation during encrypted exchanges of the random values.

The function F is surjective of F_(q)×F_(q)′ in F_(q), such that:

P=F(k,k′)   (3)

and such that, for any pair of values (k,k′), P is a point on theelliptic curve, without equation (1) being satisfied by k and k′.

In such a context, advantageously, no information can be deduced aboutthe password, on the basis of exchanges of the random values exchanged,in contrast to the prior art. In fact, the pair of values (k,k′) is thenexchanged in encrypted fashion between the device and the controller.But, whatever the password tested by a potential attacker to recoverthis pair of values, it is impossible to determine whether this passwordis correct or not, since any result obtained corresponds to a point onthe elliptic curve, without equation (1) being satisfied by k and k′.

Such a representation can be based on advantageous characteristics of afunction f_(a,b)(U) that has the following characteristic:

∀PεE _(a,b) ,|f _(a,b) ⁻¹(P)|<L

with L an integer.

In other words, the size of the pre-image set of this function isbounded by a small number L relative to the number of points on theelliptic curve.

By considering the following function f_(a,b)(u), advantageously afunction F can be determined according to one embodiment of the presentinvention, which makes a pair of parameters (x, u.x+v) in F_(q) ²correspond to a parameter u in F_(q), such that:

x = (v² − b − u⁶/27)^(1/3) + u²/3 and$v = \frac{{3\; a} - u^{4}}{6\; u}$ putting f_(a, b)(0) = 0.

The function F can then be written:

F(k,k′)=f _(a,b)(k)+f _(a,b)(k′)

or

F(k,k′)=f _(a,b)(k)+k′.G

It can also be considered that f_(a,b) is a function obtained frompolynomials satisfying Skalba's equality:

f(X ₁(k)).f(X ₂(k)).f(X ₃(k))=U(k)²

in which X₁(k), X₂(k), X₃(k) and U(k) are polynomials satisfyingSkalba's equality, as defined for example in the document ‘Rationalpoints on certain hyperelliptic curves over finite fields’ by MaciejUlas, published 11 Jun. 2007. F _(a,b)(k) is defined here as(X_(i)(k),f(X_(i)(k))^(1/2)) where i is such that f(X_(i)(k)) is asquare in F_(q).

FIG. 4 illustrates a control system comprising a device to be controlledand a controller according to one embodiment of the present invention.

Such a control system comprises at least one electronic entity as deviceto be controlled 10, and a control entity or controller 11 according toone embodiment of the present invention. Such an electronic entity,whether it is used as device to be controlled or as controller, cancomprise:

-   -   a determination unit 41 suitable for determining a point P(X,Y)        on an elliptic curve in a finite field F_(q), q being an        integer, on the basis of a random value r₁, the elliptic curve        satisfying the equation:

E _(a,b)(x,y):x ³ +ax+b=y ²   (1)

-   -   an obtaining unit 42 suitable for obtaining first and second        parameters k and k′, such that

P=F(k,k′)

where F is a surjective function of F_(q)×F_(q′) in F_(q),

-   -   an encryption unit 43 suitable for obtaining first and second        parameters in encrypted form by encryption as a function of the        password; and    -   an interface unit 44 suitable for transmitting said first and        second encrypted parameters to the controller;

the function F being such that, whatever z and z′ input elements ofF_(q), F(z,z′) is a point on the elliptic curve and the input elementsdo not satisfy equation (1).

The encryption function by password E_(π) can be defined differently. Ittakes a bit string as input parameter and returns a bit string asoutput. Nevertheless it is necessary, to ensure passwordconfidentiality, that the value returned does not give information aboutthe password. Thus, two cases can be distinguished:

-   -   either the password is used as encryption key of a classical        encryption function,    -   or the password is an index which, in a database, points to the        value of the public parameters of the elliptic curve.

In both cases, the encryption algorithm can proceed as follows, fortransforming a value of a parameter k or k′ into a bit string, and thefollowing method can be applied:

Select a random value r. Then transform a value v of a parameter into abit string by calculating:

v′=v+r.q′

with q′ corresponding either to q or to N, q being the number ofelements of the basic body F_(q), N being the number of points on theelliptic curve. It is then possible to represent v′ by a bit string.

In the case when the password π is an index, v′ is the encrypted valueof v under the password, as only the person knowing the publicparameters (q or N) can find the value of v.

In the case when the password is used as encryption key of a classicalencryption function, it is sufficient to encrypt v′ by using theencryption function E_(π).

Thus, on the receiving side, in the first case, v can be recovered bycalculating v′ mod q′. In the second case, it is necessary to decipherthe bit string sent by the decryption function, in order to find v′ andfinally be able to calculate v by calculating v′ mod N.

The present invention can be applied advantageously in any type ofcryptographic calculation using elliptic curves. It can in particular beadvantageous in protocols for authentication by password, such as PACE(Password Authenticated Connection Establishment). In this case, itallows an improvement in calculation performance, while not allowing anyattack linked with the execution time of the cryptographic calculation.

The present invention can also be applied advantageously in the contextof privacy protocols, such as those used for checking electronicidentity documents, such as electronic passports. In fact, listening inon the protocol presented does not make it possible to find the publicparameters of the elliptic curve used, in contrast to the prior art.

1. Method of control of a device by a controller on the basis of apassword; said method comprising the following steps, at the device orat the controller: /1/ on the basis of a random value r₁, determining apoint P(X,Y) on an elliptic curve, in a finite field F_(q), q being aninteger, of equation (1):E _(a,b)(x,y):x ³ +ax+b=y ²   (1) /2/ obtaining first and secondparameters k and k′, such thatP(X,Y)=F(k,k′) where F is a surjective function of F_(q)×F_(q′) inF_(q), /3/ obtaining first and second parameters in encrypted form byencryption as a function of the password; and /4/ transmitting saidfirst and second encrypted parameters to the controller; in which thefunction F is such that, regardless of z and z′ input elements of F_(q),F(z,z′) is a point on the elliptic curve, and the input elements do notsatisfy equation (1).
 2. Method of control according to claim 1, inwhich the function F is written:F(k,k′)=f′(k)+f _(a,b)(k) where f_(a,b) is an invertible function, basedon the coefficients a and b of the elliptic curve, taking an inputparameter and supplying a point on the elliptic curve and where f′ is afunction generating a point on the elliptic curve as a function of aparameter; and in which, at step /2/, the parameters k and k′ areobtained according to the following steps: randomly generating a valueof the parameter k′; calculating a value of f′(k′); determining a valueof the parameter k according to the following equation:k=f _(a,b) ⁻¹(P(X,Y)−f′(k′)).
 3. Method of control according to claim 2,in which the function f is written:f′(k′)=k′.G with G the generator of the set of points on the ellipticcurve; and in which a value of the parameter k is determined accordingto the following equation:k=f _(a,b) ⁻¹(P(X,Y)−k′.G).
 4. Method of control according to claim 2,in which the function f′ is written:f′(k′)=f _(a,b)(k′) and in which a value of the parameter k isdetermined according to the following equation:k=f _(a,b) ⁻¹(P(X,Y)−f _(a,b)(k′)).
 5. Method of control according toclaim 1, in which the function F comprises at least one invertiblefunction f_(a,b), obtained by means of polynomials X₁(k), X₂(k), X₃(k)and U(k) satisfying Skalba's equation:f(X ₁(k)).f(X ₂(k)).f(X ₃(k))=U(k)² where f is the polynomial thatdefines the elliptic curve E_(a,b).
 6. Method of control according toclaim 5, in which the function f_(a,b) makes a pair of parameters (x,y)in F_(q) ² correspond to a parameter u in F_(q), where q is equal to 2mod 3, such that: x = (v² − b − u⁶/27)^(1/3) + u²/3 and y = u ⋅ x + vwith $v = \frac{{3\; a} - u^{4}}{6\; u}$ and f_(a, b)(0) =
 0. 7.Method of control according to claim 1, further comprising the followingsteps: receiving a message indicating the first and second parameters ina form encrypted with the password; decrypting the first and secondparameters and obtain parameters p and p′; and calculating a commonsecret value K with the controller according to the following equation:K=r ₁ .F(p,p′) where r₁ is the random value used at step /1/. 8.Electronic entity in a system for control by password comprising: adetermination unit suitable for determining a point P(X,Y) on anelliptic curve in a finite field F_(q), q being an integer, on the basisof a random value r₁, the elliptic curve being of equation:E _(a,b)(x,y):x ³ +ax+b=y ²   (1) an obtaining unit suitable forobtaining first and second parameters k and k′, such thatP=F(k,k′) where F is a surjective function of F_(q)×F_(q′) in F_(q), anencryption unit suitable for obtaining the first and second parametersin encrypted form by encryption as a function of the password; and aninterface unit suitable for transmitting said first and second encryptedparameters to the controller; the function F being such that, whatever zand z′ input elements of F_(q), F(z,z′) is a point on the ellipticcurve, and the input elements do not satisfy equation (1).
 9. Electronicentity, comprising means suitable for implementing a method of controlwhich performs the following stem /1/ on the basis of a random value r₁,determining a point P(X,Y) on an elliptic curve, in a finite fieldF_(q), q being an integer, of equation (1):E _(a,b)(x,y):x ³ +ax+b=y ² /2/ obtaining first and second parameters kand k′, such thatP(X,Y)=F(k,k′) where F is a surjective function of F_(q)×F_(q′) inF_(q), /3/ obtaining first and second parameters in encrypted form byencryption as a function of a password; and /4/ transmitting said firstand second encrypted parameters; in which the function F is such that,regardless of z and z′ input elements of F_(q), F(z,z′) is a point onthe elliptic curve, and the input elements do not satisfy equation (1).10. (canceled)
 11. The system of claim 9, wherein the electronic entitycomprises a device controlled by a controller on the basis of thepassword.
 12. The system of claim 9, wherein the electronic entitycomprises a controller operable to control a device on the basis of thepassword.